VBS.LoveLetter Fix

The VBS.LoveLetter Fix tool removes the changes that were made to a computer by all known versions of the VBS.LoveLetter worm except VBS.LoveLetter.CA, VBS.LoveLetter.BJ, VBS.LoveLetter.BM and VBS.LoveLetter.AS.

Caution: Before you run the tool, you must update to the most recent virus definitions and run a full system scan, making sure that Norton AntiVirus (NAV) is set to scan all files. If you run the tool before scanning your system, you may see warnings that indicate that files have been infected with LoveLetter. If you see any such warning, choose to delete the files.

Notes:

This tool will have limited effectiveness if you have been infected with VBS.NewLove.A. This variant of LoveLetter destroys all files on the system that are not in use. Therefore an infected system will most likely be unstable.

If you are running this tool on Windows NT or Windows 2000, you must have Administrator-level privileges.

When the tool has finished running, you will see a message indicating whether or not the computer was infected by VBS.LoveLetter.

If you are an administrator, and you want to run the tool without displaying the information dialog box, run the tool with the /auto command line switch; for example, C:\Windows\Desktop\fixlove.exe /auto

The digital signatureFixlove.exe is digitally signed. Symantec recommends that you only use copies of Fixlove.exe that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:

HKEY_USERS\[USER NAME]\Software\MicrosoftWindows\CurrentVersion\Run (This is done for all users.)

Removes Winfat32.exe, Win-bugsfix.exe, and all .vbs entries from the following registry subkeys:

Restores the Timeout value for the Windows Scripting Host key for all users, if present:HKEY_USERS\username\SOFTWARE\Microsoft\Windows Scripting Host\Settings

Sets the starting page for Internet Explorer in the following registry subkey http://www.symantec.com/avcenter/repair_instruct.html:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

Removes all DWORD values from the following registry subkey except for LDAP Connection Timeout and Server ID (This is done for all users):HKEY_USERS\[USER NAME]\SOFTWARE\Microsoft\WAB

Searches all local hard drives for hidden .mp3 and .mp2 files, and removes the hidden attribute.

Searches all local hard drives for LoveLetter Script.ini files. If found, the Script.ini file will be overwritten with a blank file that contains just one line:[SCRIPT]